Demys respects the trust placed in it to use, store and share information from which natural persons can be directly or indirectly identified, described in this notice as “personal information”. This statement describes how Demys collects personal information, how it is used and how such persons can interact with Demys regarding it. Demys’ intent is to process personal data in the least intrusive manner possible and in accordance with the law.
- 1. Demys
- 2. Data Protection Officer
- 3. Collection of personal information by Demys
- 4. Safety and security of personal information
- 5. Length of retention of personal information
- 6. Basis of processing
- 7. Consent
- 8. Use of personal information by Demys
- 9. Personal information held by Demys and third parties
- 10. International transfers of data
- 11. Personal information rights
- 12. Making a complaint
- 13. Updates to this notice
In this statement, “Demys” refers to Demys Limited, a company incorporated in Scotland under the Companies Acts of the United Kingdom under registered number SC197176 and having its registered office at 33 Melville Street, Edinburgh, EH3 7JF.
Demys shares personal information received from its clients with registry and registrar partners, certificate authorities and dispute resolution providers to allow it to provide domain name management and related services, comply with regulatory and legal requirements, and improve its products. It is often essential to the making of a domain name registration or the ordering of an SSL certificate and the implementation of the underlying contract that such personal information is supplied to the providers of the services concerned. Such personal information is used to allow network operators to ensure network and information security and to contact one another with regard to systems connected to the public Internet to ensure smooth functioning of these systems. It is also used by law enforcement agencies or parties engaged in civil enforcement to contact the registrant (such as in cases of potential trade mark infringements).
Demys processes and shares personal information obtained in connection with its brand protection activities with its clients to allow it to report to and advise them regarding activities on the Internet which may infringe their civil legal rights or which involve the detection of crime. Demys processes and shares such personal information in the public interest to prevent crime and to support the lawful interests of its clients in connection with protecting their brands online.
2. Data Protection Officer
Demys has not appointed a Data Protection Officer under the applicable legislation because its core activities do not require large scale, regular and systematic monitoring of individuals or large scale processing of special categories of data or data relating to criminal convictions and offences. However, Demys’ Company Solicitor has a non-statutory internal compliance role to review the collection, use, sharing and protection of personal information. Demys’ Company Solicitor may be contacted in writing. Correspondence should be marked ‘Data Protection Enquiry’ and addressed to ‘Company Solicitor’ at the registered office address noted above.
3. Collection of personal information by Demys
Demys collects personal information when individuals or companies instruct the provision of services, seek advice or make requests to it. The primary purpose of the collection of such personal information is to support the provision of services, for example, to obtain personal information where this is required by a registry or registrar operator; or to provide an audit trail of client instructions or client activities using Demys’ services which may subsequently be used to identify which individual took a particular action or made a particular instruction. Demys may collect personal information to identify or authenticate its clients or their representatives. Where such personal information is collected, consent will be sought from the individual concerned. Demys does not collect personal information relative to children who do not have the capacity to contract and cannot therefore register a domain name or receive Demys’ services.
Demys may collect personal information via its website or related communication technologies such as telephone calls, online platforms, through market research and CCTV footage. Demys may also collect such personal information via its brand protection processes which are intended to identify the operators of online services infringing its clients’ civil legal rights or which may be engaged in criminal activities. Demys may record telephone conversations verbatim or the nature of such conversations in summary form to support its brand protection activities.
Demys’ websites use ‘cookie’ technology. Such cookies are text files placed by Demys’ server on a third party device interacting with it, such as when a client makes use of Demys’ website or online platform. Such cookies assist in authenticating the user of the device concerned for the protection and safety of Demys’ clients.
Demys may carry out personal information searches when identifying prospective clients or discussing the potential provision of services to a prospective client and afterwards, should such client proceed to engage Demys in the provision of such services. This may involve verification of identity, credit reference checks (involving sending personal information to credit reference agencies), domain name searches intended to establish the extent of a prospective client’s online presence and searches of fraud prevention agencies. Only some of this activity will involve processing personal information, and with regard to domain name registrations this will only be the case where the public Internet or registrar/registry databases contain such personal information. Records of such searches may be retained by Demys or such agencies whether or not Demys is engaged by a prospective client in order to provide an audit trail of due diligence in the pre-sales activity.
Demys will assume, unless told otherwise by a prospective client, that such prospective client has sought the consent of any person listed on such prospective client’s domain name data to the scanning by Demys of the domain name estate from the public Internet or registrar/registry data as part of its pre-sales activity. Demys’ personnel have no way of knowing whether such domain name estate may contain personal data until scanning commences.
4. Safety and security of personal information
Demys endeavours to protect all personal information which it holds via security measures conforming to the laws that apply in its jurisdiction(s). Demys endeavours to keep its computer systems, files and physical premises secure. The nature of the Internet is such that Demys cannot guarantee or warrant the security of personal information which is transmitted to it by the data subject via the Internet. However, Demys will endeavour to take reasonable steps to protect such information once it is in Demys hands following such transmission.
Demys may require any person enquiring about their personal information to identify themselves when they make contact. The purpose of that process is to ensure that personal information is only divulged to the correct person.
5. Length of retention of personal information
Demys holds its clients’ and/or their representatives’ personal information, along with personally identifiable data relating to those clients or representatives, for the full duration of the client relationship. Demys holds data for a longer period to meet regulatory requirements and to protect itself against civil claims. Demys holds data obtained in connection with its brand protection service for the amount of time necessary to establish the rights and remedies of its clients including a reasonable period which may be required to establish a pattern of abusive registrations or other abusive online activity. This is necessary because many dispute resolution policies encourage complainants to report multiple instances of abusive registration by a registrant in order to establish that the registration(s) complained about are themselves abusive. Demys does not hold personal information for longer than it is necessary to do so.
Demys will hold personal data for as long as any action made by the data subject is still reflected on a currently live certificate, domain name or any other Demys system that will directly affect services provided to a client. In order to ensure that such holding is proportionate and does not outweigh the data subject’s rights and freedoms, Demys conducts annual reviews with selected clients to ensure their list of contacts remains accurate.
6. Basis of processing
Demys seeks at all times to process personal information on a lawful basis. It may rely on one or more of the following legal bases:
- the performance of a contract;
- compliance with a legal obligation to which Demys is subject;
- protecting the vital interests of the data subject or others;
- the performance of a task carried out in the public interest;
- in the legitimate interests of Demys or those of its clients, prospective clients or other third parties; and
- with the consent of the data subject.
To meet regulatory and legal obligations, Demys will collect personal information, verify it, keep it up to date through regular checks, and delete it once it is no longer necessary to retain it. Demys may also gather personal information from third parties to assist it in meeting its obligations. If a data subject who is directly connected with the provision of Demys’ services to a client (such as an official client contact person) does not provide the information required, or fails to assist Demys in keep it up to date, Demys may be unable to provide the client concerned with its products and services.
Demys may require to seek the consent of data subjects to use their personal information. Demys may seek consent, for example, to make data subjects aware of products and services which may be of interest to them. This may be done by phone, post, email, text or through other digital media. Data subjects have the right to determine the volume of direct marketing which they wish to accept from Demys when seeking new products and services and will have the opportunity to opt out of receiving this when contact is made. Data subjects can remove their consent at any time by issuing a request in writing. The withdrawal of consent should not however be used as a method of circumventing Demys’ duty to provide professional advice to its clients and in the event that all client contacts withdraw consent, Demys reserves the right to terminate the client relationship.
If Demys uses sensitive personal information about a data subject, such as medical or biometric data, Demys will request informed consent. This means that Demys will also tell the data subject what personal information is being collected and the purpose for which it will be used. Consent can be withdrawn by contacting Demys.
8. Use of personal information by Demys
Demys uses personal information to:
- provide relevant products and services;
- identify ways in which Demys can improve its products and services;
- maintain and monitor the operation of clients’ products and services;
- protect Demys’ interests and the interests of its clients including in particular their civil legal rights;
- meet Demys’ or its clients’ legal and/or regulatory obligations including in particular any obligations to domain name registries, certificate authorities and registrars; and
- decide and recommend how its products and services might be suitable for clients and prospective clients.
To provide products and services in accordance with its terms and conditions, Demys requires to collect and use personal information about data subjects who are, or are connected with, its clients. If such personal information is not provided by such data subjects, Demys may be unable to provide services to the relative client. Data subjects will be asked to acknowledge, for and on behalf of any client in respect of which the data subject is authorised to instruct Demys, that Demys will not be liable for any damage caused consequent upon the data subject withdrawing consent to use personal data for client support purposes.
Demys may contact a domain name registrant or other client to provide information about the services offered to the person or company whom the person represents, to confirm details of any requests made by such person, to grant access credentials to Demys’ systems where an audit trail is recorded for any action, to verify requests made by third parties, to provision services as requested, which may include disclosing personal data to third parties as outlined in this privacy statement, and to provide its clients or registrants with industry related news or products that may impact their businesses.
Demys conducts research and monitoring based on personal information collected relative to its client accounts through clients’ use of its products and services and on its social media profiles, apps and websites. This assists Demys in understanding its clients’ behaviour, how Demys and its services interact with such clients and Demys’ position in its market place(s). Examples of how this personal information may be used include assisting in the protection of clients and third parties from crime or from civil wrongs (such as online trade mark infringement), improving Demys’ services, offering clients and prospective clients products and services and personalising their experience.
Demys may report trends which it identifies from research or monitoring to third parties and to clients. When such trends are reported, personal information will be removed unless it relates directly to the client concerned, such as the provision of an audit trail to a client which includes personal information of the client contact(s) nominated by such client. Unless the report involves such nominated contacts, no personal information in such reports will identify contacts at Demys’ clients.
Demys may use automated technology to help its clients make informed strategic decisions regarding the extent of online civil wrongs or criminal activities detected by Demys. Before such decisions are made, data sourced from the public Internet about domain names, websites or other online platforms, which may include personal information, may be subject to automatic or rule-based prioritisation and profiling. The logic used in such profiling automates the prioritisation of enforcement action based on patterns of abusive behaviour or repeated violations of civil rights.
Demys reserves the right to transfer personal information to a third party in the event of a sale, merger, liquidation, receivership or transfer of all or substantially all of Demys’ assets provided that the third party agrees to adhere to the terms of Demys’ policies regarding the use of such personal information and provided that the third party only uses such personal information for the purposes that it was provided to or collected by Demys. Where required by law, Demys will notify data subjects in the event of any such transfer and such data subjects will be afforded an opportunity to opt-out of the transfer.
9. Personal information held by Demys and third parties
Demys may share personal information which it holds with third parties, in order for example to:
- provide products, services and information;
- analyse information;
- research the client experience;
- collect or transfer debts;
- transfer the whole or part of Demys’ business;
- prevent crime and civil wrongs;
- help trace, investigate and recover a client’s domain names;
- trace information; and
- protect Demys and its clients’ interests.
Demys may share personal information with credit reference agencies to assure itself of the credit worthiness of a prospective client.
Demys may disclose personal information to:-
- Top Level Domain (TLD) Registry Operators for the purpose of registering domain names where it is specifically required or requested that such personal data be provided;
- If any such domain name exists this data will also be provided to the Registrar Escrow provider (https://www.icann.org/resources/pages/registrar-data-escrow-2015-12-01-en) both by Demys and the applicable Registry Operator;
- Partner Registrars for the purpose of registering domain names where Demys does not have a relationship with Registry Operators directly;
- Local presence proxy providers if a there is such a requirement for a specific domain name; and
- SSL Certificate partners and applicable certificate authorities, for the purpose of issuance, validation and operation of SSL certificates.
- Providers of dispute resolution services, and law enforcement agencies to prevent crime and civil wrongs.
Such data will include as a minimum a client contact’s full name and email address with the option to provide a telephone number, postal address and organisation affiliation if different from the company for whom such person acts as contact.
Personal information which Demys has collected as part of its brand protection activities which features potential civil wrongs or criminal activity will be shared with the affected clients, fraud prevention agencies and/or clients’ legal advisers. Such personal information will be used to protect the client’s legitimate interests and to prevent crime. It may be protected by professional privilege or equivalent concepts under applicable legislation. Where the possibility of criminal activity is detected, this may be reported to the competent law enforcement authorities by Demys or its clients. Demys may also report potential breaches which Demys has detected of third party supplier contracts such as hosting, registration agreements or related policies to such suppliers, which may be either in or outside the UK, where this is necessary for the protection of its clients and the public. A report of such breach may involve the disclosure of personal information (so far as known to Demys) where this is necessary for the third party supplier to identify its customer.
Any third parties to whom personal information is disclosed, including Demys’ clients, are expected to have the same levels of personal information protection as Demys. Demys cannot and does not know whether third party suppliers of hosting, registration or other related services to a customer, which may be in violation of its agreements or related policies, have a suitable level of personal information protection. It is however presumed that all such suppliers will comply with the law in their respective jurisdictions.
Demys may require to share personal information with third parties to meet any applicable law, regulation or lawful request. Demys will cooperate with government and law enforcement officials and private parties to enforce and comply with the law. Demys will disclose such personal data to government or law enforcement officials or private parties as it, in its sole discretion, believes necessary or appropriate to respond to claims and legal process (such as citations from courts of competent jurisdiction), to protect Demys’ property and rights or the property and rights of a client or third party, to protect the safety of the public or any person, or to prevent or stop activity which Demys considers to be illegal or unethical. Demys will take reasonable steps to notify the data subject of any such disclosure, to the extent it is legally able to do so, unless such notification would not be in Demys’ clients’ legitimate interests.
Demys will share personal data to the extent necessary to comply with ICANN or country code top level domain name rules, regulations and policies when the data subject registers a domain name via Demys or supplies such information on behalf of one of Demys’ clients for the purpose of domain name registration or the provision of another Demys service.
10. International transfers of data
Demys may transfer personal information outside of the European Economic Area (EEA) to assist it in the provision of its products and services. The same standard of data protection will be applied outside the EEA to these transfers and the use of the personal information, to ensure that the rights of data subjects are protected. If an overseas domain name registry requires the transfer of personal data but cannot provide a suitable standard of data protection and is not the subject of an adequacy decision by the European Commission, Demys will be unable to provide the service concerned.
11. Personal information rights
Data subjects may exercise their rights by contacting Demys’ Company Solicitor in writing. Correspondence should be marked ‘Data Protection Enquiry’ and addressed to ‘Company Solicitor’ at the registered office address noted above. Where the law requires, dependent on the data concerned and Demys’ reasons for processing, Demys will assist data subjects in:-
Accessing their personal information: A data subject may request Demys to supply a copy of the personal information held and to enquire as to how this is collected, shared and used.
Updating and correcting their personal details: A data subject may request Demys to update such personal details as it holds.
Removing their consent: Where consent is required to process data, a data subject can decide to withdraw consent.
Restricting and objecting to automated decision making: Where personal data is used for automated decision making, in certain circumstances the data subject may have the right to restrict or object to Demys using such personal information or using automated decision making.
Deleting their personal information (the right to be forgotten). A data subject may request Demys to delete their personal information.
Moving their personal information (the right to Portability). Where possible and requested, Demys may share a digital copy of a data subject’s personal information directly with them or another organisation. Any such request will be provided in a machine-readable format determined by Demys.
When data subjects contact Demys to enquire about personal information, they may be asked to identify themselves in order that Demys may protect the personal information concerned. Depending upon the nature of the enquiry, Demys may agree with the data subject’s request or explain why it is unable to do so.
Demys generally does not make a charge when a data subject makes an enquiry regarding personal information.
12. Making a complaint
Where data subjects have a complaint about Demys’ use of their personal information, they should in the first instance write by email to firstname.lastname@example.org in order to provide an opportunity for Demys to address the query as quickly as possible. Complaints should be made by contacting Demys’ Company Solicitor in writing. Correspondence should be marked ‘Data Protection Complaint’ and addressed to ‘Company Solicitor’ at the registered office address noted above. All complaints received will be fully investigated. Complainants should supply as much information as possible to assist in a swift resolution of the complaint concerned. Demys recommends that written complaints are sent by recorded delivery or any equivalent postal method which provides evidence of receipt.
While Demys encourages data subjects to come to it in the first instance, they may also contact the United Kingdom Information Commissioner’s Office directly at www.ico.org.uk for support and guidance.
13. Updates to this notice
Demys may amend this notice from time to time, particularly when there are changes to the manner in which personal information is used, or to technology, products and services.
An up-to-date version of this notice will be available at all times on Demys website at www.demys.com.